Friday, August 28, 2020

Rastrea2R - Collecting & Hunting For IOCs With Gusto And Style



Ever wanted to turn your AV console into an Incident Response & Threat Hunting machine? Rastrea2r (pronounced "rastreador", hunter in Spanish) is a multi-platform open source tool that allows incident responders and SOC analysts to triage suspect systems and hunt for Indicators of Compromise (IOCs) across thousands of endpoints in minutes. To parse and collect artifacts of interest from remote systems (including memory dumps), rastrea2r can execute Sysinternals utilities, system commands and other third-party tools across multiple endpoints, saving the output to a centralized share for automated or manual analysis. Using a client/server RESTful API, rastrea2r can also hunt for IOCs on disk and in memory across multiple systems with YARA rules. As a command line tool, rastrea2r can be easily integrated with McAfee ePO, as well as other AV consoles and orchestration tools, letting incident responders and SOC analysts collect forensic evidence and hunt for IOCs without deploying an additional agent, with 'gusto' and style!


Dependencies
  • Python 2.7.x
  • git
  • bottle
  • requests
  • yara-python

Quickstart
  • Clone the project to your local directory (or download the zip file of the project)
$ git clone https://github.com/rastrea2r/rastrea2r.git
$ cd rastrea2r
  • All the dependencies necessary for the tool to run can be installed within a virtual environment via the provided makefile.
$ make help
help - display this makefile's help information
venv - create a virtual environment for development
clean - clean all files using .gitignore rules
scrub - clean all files, even untracked files
test - run tests
test-verbose - run tests [verbosely]
check-coverage - perform test coverage checks
check-style - perform pep8 check
fix-style - perform check with autopep8 fixes
docs - generate project documentation
check-docs - quick check docs consistency
serve-docs - serve project html documentation
dist - create a wheel distribution package
dist-test - test a wheel distribution package
dist-upload - upload a wheel distribution package
  • Create a virtual environment with all dependencies
$ make venv
// Upon successful creation of the virtual environment, activate it as instructed, for example:
$ source /Users/ssbhat/.venvs/rastrea2r/bin/activate
  • Start the rastrea2r server from the $PROJECT_HOME/src/rastrea2r/server folder
$ cd src/rastrea2r/server/
$ python rastrea2r_server_v0.3.py
Bottle v0.12.13 server starting up (using WSGIRefServer())...
Listening on http://0.0.0.0:8080/
  • Now execute the client program, choosing the Python script for the platform you are scanning. Currently Windows, Linux and Mac platforms are supported.
$ python rastrea2r_osx_v0.3.py -h
usage: rastrea2r_osx_v0.3.py [-h] [-v] {yara-disk,yara-mem,triage} ...

Rastrea2r RESTful remote Yara/Triage tool for Incident Responders

positional arguments: {yara-disk,yara-mem,triage}

modes of operation
yara-disk Yara scan for file/directory objects on disk
yara-mem Yara scan for running processes in memory
triage Collect triage information from endpoint

optional arguments:
-h, --help show this help message and exit
-v, --version show program's version number and exit


Furthermore, the options available under each command can be viewed with the help option, e.g.:

$ python rastrea2r_osx_v0.3.py yara-disk -h
usage: rastrea2r_osx_v0.3.py yara-disk [-h] [-s] path server rule

positional arguments:
path File or directory path to scan
server rastrea2r REST server
rule Yara rule on REST server

optional arguments:
-h, --help show this help message and exit
-s, --silent Suppresses standard output
  • For example, on a Mac or Unix system you would do:
$ cd src/rastrea2r/osx/

$ python rastrea2r_osx_v0.3.py yara-disk /opt http://127.0.0.1:8080/ test.yar

Executing rastrea2r on Windows

Currently Supported functionality
  • yara-disk: Yara scan for file/directory objects on disk
  • yara-mem: Yara scan for running processes in memory
  • memdump: Acquires a memory dump from the endpoint (Windows only)
  • triage: Collects triage information from the endpoint (Windows only)

Notes
For the memdump and triage modules, SMB shares must be set up in this specific way:
  • Binaries (Sysinternals, batch files and others) must be located in a shared folder called TOOLS (read only)
    \\path-to-share-folder\tools
  • Output is sent to a shared folder called DATA (write only)
    \\path-to-share-folder\data
  • For yara-mem and yara-disk scans, the YARA rules must be in the directory the server is executed from.
  • The RESTful API server stores the data it receives in a file called results.txt in that same directory.
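The least-privilege share layout the notes describe (TOOLS readable only, DATA a write-only drop folder), as an added PowerShell example that is not part of the rastrea2r project; the share root C:\rastrea2r and the collection account DOMAIN\svc-rastrea2r are placeholder assumptions to replace.

```powershell
# Added example (not rastrea2r project code): create the TOOLS and DATA shares the
# memdump/triage modules expect, with the endpoints' account limited to read on
# TOOLS and write-only on DATA. $Root and $Account are assumed placeholders.
$Root    = 'C:\rastrea2r'
$Account = 'DOMAIN\svc-rastrea2r'
$Admins  = 'BUILTIN\Administrators:(OI)(CI)F'
$System  = 'NT AUTHORITY\SYSTEM:(OI)(CI)F'

New-Item -ItemType Directory -Path "$Root\tools", "$Root\data" -Force | Out-Null

# TOOLS: endpoints only ever read Sysinternals binaries and batch files from here.
# Share level: Read. NTFS: read & execute only, inheritance cut so nothing wider leaks in.
New-SmbShare -Name 'TOOLS' -Path "$Root\tools" -ReadAccess $Account `
    -Description 'rastrea2r read-only tool share' | Out-Null
icacls "$Root\tools" /inheritance:r /grant "${Account}:(OI)(CI)RX" $Admins $System | Out-Null

# DATA: endpoints drop collected output here and must not be able to read, list or
# delete what other endpoints wrote. SMB has no write-only share permission, so grant
# Change at the share level and narrow it with NTFS: create files/folders, write and
# append data only (WD = write/add file, AD = append/add subdir, WA/WEA = attributes).
New-SmbShare -Name 'DATA' -Path "$Root\data" -ChangeAccess $Account `
    -Description 'rastrea2r write-only output share' | Out-Null
icacls "$Root\data" /inheritance:r /grant "${Account}:(OI)(CI)(WD,AD,WA,WEA)" $Admins $System | Out-Null

# Verify: the collection account should show Read on TOOLS and Change on DATA, nothing else.
Get-SmbShareAccess -Name 'TOOLS', 'DATA' |
    Format-Table Name, AccountName, AccessControlType, AccessRight -AutoSize
icacls "$Root\tools"
icacls "$Root\data"
```

A tool that reopens its own output file for read/write will fail under the DATA ACL; if one of your collection scripts does that, grant it ReadData on files it creates rather than loosening the folder.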

Contributing to the rastrea2r project
The Developer Documentation provides complete information on how to contribute to the rastrea2r project.

Demo videos on Youtube

Presentations

Credits & References



